Closed
Bug 361517
Opened 18 years ago
Closed 16 years ago
Don't fill in passwords / usernames in readonly fields.
Categories
(Toolkit :: Password Manager, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b1
People
(Reporter: moscovic, Assigned: Dolske)
References
Details
Attachments
(1 file, 1 obsolete file)
4.86 KB,
patch
|
Gavin
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 If there is a input field like this: <input type="password" name="password" value="password" readonly="readonly"> firefox still remembers the password here... Next time the page is loaded (e. g. for other user) the password is replacen by the remembered password even if there is a readonly attribute! passwords for readonly fields shouldn't be saved, because in that case user cannot retype them! Reproducible: Always Steps to Reproduce: 1. create a page with <input type="password" name="password" value="password" readonly="readonly"> 2. submit pade and enable firefox to remember the password 3. change the page to 1. create a page with <input type="password" name="password" value="pass" readonly="readonly"> Actual Results: load the page... firefox will replace the password on load (the nuber of "stars" will change) submit the page and check that it passes the remembered password Expected Results: expected result will be, that the read only password wouldn't be offered to save... or after loading and submiting changed page the passed password would be the new one
Comment 1•18 years ago
|
||
*** Bug 331441 has been marked as a duplicate of this bug. ***
Comment 2•18 years ago
|
||
*** Bug 294458 has been marked as a duplicate of this bug. ***
Comment 3•18 years ago
|
||
*** Bug 312877 has been marked as a duplicate of this bug. ***
Comment 4•18 years ago
|
||
Just to be sure I'm working on the right problem: is the form where you see the problem password-only, with no username? And is your saved password from a password-only form, or with a blank username, or a username-password pair? (Yes, we could just bail out whenever we see anything readonly, but that would sometimes be wrong, e.g. with a readonly prefilled username we know, and an unfilled non-readonly password.)
I don't really understand why the long time opened and confirmed bugs 331441 (Opened: 2006-03-23) 312877 (Opened: 2005-10-18), 294458 (Opened: 2005-05-17) were marked as duplicate of this one which is marked as UNCONFIRMED ? you might have made a mistake
Comment 6•18 years ago
|
||
They were all marked as duplicates of a bug which did fix their reported problem. They are marked as duplicates of a bug which (probably, though not certainly) will again fix their reported problem, in a different way. This is not an issue which is worth the death of several million electrons.
Assignee | ||
Comment 7•17 years ago
|
||
I don't see why the password mananger shouldn't remember readonly fields. They are, after all, readable. As for filling them in... I can see two sides to the issue. One is that we shouldn't modify a readonly field, because the user can't either. On the other hand, readonly fields are only a UI convention, and scripts have always been allowed to modify them.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Summary: saving and rewriting passwords in input type="password" with readonly="readonly" → should passwords be filled in for readonly pw fields?
Version: unspecified → 2.0 Branch
Comment 8•17 years ago
|
||
I have two problems with this issue: 1) What sense does a read-only password field make (i.e. what's a reasonable use case)? IMHO read-only fields are an _output_ aid, but with type "password" you won't actually see anything reasonable. 2) The password manager might _remember_ read-only fields, but it probably should not _fill in_ read-only fields. This is independent from the fact that a script might change them, because the "script" is expected to come from the same source as the rest of the HTTP application. The browser should not interfere with that in an unexpected way.
Assignee | ||
Comment 9•17 years ago
|
||
Random note: Camino bug 384635 was for filling in disabled fields, another case similar to this bug.
Assignee | ||
Comment 10•17 years ago
|
||
We just made a similar change to not fill in values that exceed an input's maxlength, which was beneficial for sites with mixed username/password + PIN logins. This change may have similar benefits.
Assignee: nobody → dolske
Summary: should passwords be filled in for readonly pw fields? → Don't fill in passwords / usernames in readonly fields.
Target Milestone: --- → Firefox 3 M10
Assignee | ||
Comment 11•17 years ago
|
||
Untested, but it's simple enough. However, I think I should first shuffle some code around so the same thing happens when you (1) initially fill the form on page load and (2) perform an autocomplete entry. I'll file a blocking bug.
Assignee | ||
Updated•17 years ago
|
Assignee: dolske → nobody
Target Milestone: Firefox 3 beta2 → ---
Assignee | ||
Comment 12•16 years ago
|
||
Simpler version of last patch.
Assignee: nobody → dolske
Attachment #285848 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #329275 -
Flags: review?(gavin.sharp)
Assignee | ||
Updated•16 years ago
|
Target Milestone: --- → Firefox 3.1a1
Updated•16 years ago
|
Product: Firefox → Toolkit
Assignee | ||
Updated•16 years ago
|
Whiteboard: [need review gavin]
Assignee | ||
Updated•16 years ago
|
Target Milestone: mozilla1.9.1a1 → mozilla1.9.1
Updated•16 years ago
|
Attachment #329275 -
Flags: review?(gavin.sharp) → review+
Assignee | ||
Comment 13•16 years ago
|
||
Pushed changeset 9c433cbaff34.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need review gavin]
Target Milestone: mozilla1.9.1 → mozilla1.9.1b1
Comment 15•7 years ago
|
||
duplicate bug
You need to log in
before you can comment on or make changes to this bug.
Description
•